P
US10003591B2ActiveUtilityPatentIndex 99

Secure permissioning of access to user accounts, including secure deauthorization of access to user accounts

Assignee: PLAID TECH INCPriority: Sep 8, 2015Filed: Sep 7, 2016Granted: Jun 19, 2018
Est. expirySep 8, 2035(~9.2 yrs left)· nominal 20-yr term from priority
Inventors:HOCKEY WILLIAMKELLY MICHAEL
H04L 2463/102H04L 63/0807H04L 9/3213H04W 12/06H04L 63/0892G06Q 20/385H04L 9/3228H04W 12/082
99
PatentIndex Score
109
Cited by
252
References
14
Claims

Abstract

A permissions management system is disclosed for enabling a user to securely authorize a third-party system to access user account data and initiate transactions related to a user account, without disclosing to the third-party system account credentials. The system enables the user to also securely de-authorize the third-party system. For example, records may be automatically generated that securely store account information, including one or more permissions related to the account and/or the third-party. A token associated with a record may be shared with the third-party system, but neither the record itself, nor the user account credentials, may be shared with the third-party. Accordingly, the third-party may request user account data and/or initiate transactions by providing the token, but does not itself know, e.g., the user account credentials. Further, the user may set various permissions related to the token, and may also revoke the token (e.g., de-authorize the third-party), thus providing increased security to the user's account.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A system comprising:
 a first computing device associated with a user; 
 a second computing device associated with an institution; and 
 a third computing device associated with a permissions manager, 
 wherein:
 the third computing device is in communication with a fourth computing device associated with an external application; 
 the first computing device is configured to:
 execute a plug-in comprising javascript code provided by the second computing device or the third computing device; 
 receive, from the user and via the plug-in, account credentials associated with an account of the user held by the institution; 
 communicate the account credentials to the second computing device via a secure connection provided, in part, by the plug-in; and 
 not store the account credentials; 
 
 the second computing device is configured to:
 receive, from the first computing device, information associated with an authorization request, the information including at least:
 the account credentials, 
 an indication of the account of the user held by the institution, and 
 an indication of the external application as being associated with the authorization request; 
 
 generate at least:
 an electronic record of the information including the account credentials, and 
 a token associated with the electronic record; and 
 
 provide the token to the first computing device via the plug-in executing on the first computing device; 
 
 the first computing device is further configured to:
 via the plug-in, receive the token and communicate the token to the third computing device; 
 
 the third computing device is configured to:
 receive the token, wherein the token is associated with the institution, the external application, and the account of the user; 
 receive, from the fourth computing device, a request for account data associated with the account of the user; and 
 in response to receiving the request for account data from the fourth computing device:
 identify the token as being associated with the external application and the account of the user; and 
 communicate, to the second computing device associated with the institution, the token and the request for account data; 
 
 
 the second computing device is further configured to:
 receive, from the third computing device, the token and the request for account data; 
 verify, using the token, authorization of the external application to receive the account data; 
 access the account data from the account of the user using the account credentials stored in the electronic record associated with the token; and 
 communicate, to the third computing device, the account data associated with the account of the user; and 
 
 the third computing device is further configured to:
 receive, from the second computing device, the account data; and 
 communicate the account data to the fourth computing device, and 
 
 
 wherein neither the account credentials nor the token is communicated to the fourth computing device associated with the external application. 
 
     
     
       2. The system of  claim 1 , wherein:
 the second computing device is further configured to:
 receive, from the first computing device or another computing device associated with the user, a request to deauthorize access to the account data by the external application; and 
 in response to the request to deauthorize access, update the electronic record to indicate a revocation of the token or a revocation of access to the user account associated with the token. 
 
 
     
     
       3. The system of  claim 2 , wherein:
 the information further includes one or more permissions that indicate constraints on authorization of the external application to access the account data; and 
 the second computing device is further configured to:
 store the one or more permissions in the electronic record; and 
 determine, based on the one or more permissions, whether the request for account data exceeds the constraints on the authorization of the external application to access the account data. 
 
 
     
     
       4. The system of  claim 3 , wherein:
 the second computing device is further configured to:
 in response to receiving the information associated with the authorization request, provide, to the first computing device, a request for additional information, wherein the authentication information includes at least one of: multi-factor authentication information, a selection of the user account of the one or more user accounts, or an indication of agreement to a document. 
 
 
     
     
       5. The system of  claim 4 , wherein:
 the second computing device is further configured to:
 receive, from the first computing device, a response to the request for additional information, wherein the token is not provided to the first computing device until after the response is received. 
 
 
     
     
       6. The system of  claim 3 , wherein:
 the third computing device is further configured to:
 provide a unique identifier associated with the token, but not the token, to the fourth computing device, wherein the request for user account data includes the unique identifier. 
 
 
     
     
       7. The system of  claim 6 , wherein:
 the third computing device is further configured to:
 provide a public token or key to the fourth computing device; 
 receive, from the fourth computing device, authentication information including the public token or key, a secret key, and an identifier associated with the external application; and 
 verify the validity of the authentication information based at least in part on information associated with the secret key and the identifier associated with the external application. 
 
 
     
     
       8. A computer-implemented method comprising:
 by a first computing device comprising one or more processors executing program instructions, the first computing device being associated with a user:
 executing a plug-in comprising javascript code provided by a second computing device or the third computing device; 
 receiving, from the user and via the plug-in, account credentials associated with an account of the user held by the institution; 
 communicating the account credentials to the second computing device via a secure connection provided, in part, by the plug-in; and 
 not storing the account credentials; 
 
 by the second computing device comprising one or more processors executing program instructions, the second computing device being associated with an institution:
 receiving, from the first computing device, information associated with an authorization request, the information including at least:
 the account credentials, 
 an indication of the account of the user held by the institution, and 
 an indication of the external application as being associated with the authorization request; 
 
 generating at least:
 an electronic record of the information including the account credentials, and 
 a token associated with the electronic record; and 
 
 providing the token to the first computing device via the plug-in executing on the first computing device; 
 
 further by the first computing device:
 via the plug-in, receiving the token and communicate the token to a third computing device; 
 
 by the third computing device comprising one or more processors executing program instructions, the third computing device being associated with a permissions manager:
 receiving the token, wherein the token is associated with the institution, the external application, and the account of the user; 
 receiving, from a fourth computing device, a request for account data associated with the account of the user, the fourth computing device being associated with an external application; and 
 in response to receiving the request for account data from the fourth computing device:
 identifying the token as being associated with the external application and the account of the user; and 
 communicating, to the second computing device associated with the institution, the token and the request for account data; 
 
 
 further by the second computing device:
 receiving, from the third computing device, the token and the request for account data; 
 verifying, using the token, authorization of the external application to receive the account data; 
 accessing the account data from the account of the user using the account credentials stored in the electronic record associated with the token; and 
 communicating, to the third computing device, the account data associated with the account of the user; and 
 
 further by the third computing device:
 receiving, from the second computing device, the account data; and 
 communicating the account data to the fourth computing device, and 
 
 wherein neither the account credentials nor the token is communicated to the fourth computing device associated with the external application. 
 
     
     
       9. The computer-implemented method of  claim 8  further comprising:
 further by the second computing device:
 receive, from the first computing device or another computing device associated with the user, a request to deauthorize access to the account data by the external application; and 
 in response to the request to deauthorize access, update the electronic record to indicate a revocation of the token or a revocation of access to the user account associated with the token. 
 
 
     
     
       10. The computer-implemented method of  claim 9 , wherein:
 the information further includes one or more permissions that indicate constraints on authorization of the external application to access the account data; and 
 the computer-implemented method further comprises:
 further by the second computing device:
 storing the one or more permissions in the electronic record; and 
 determining, based on the one or more permissions, whether the request for account data exceeds the constraints on the authorization of the external application to access the account data. 
 
 
 
     
     
       11. The computer-implemented method of  claim 10  further comprising:
 further by the second computing device:
 in response to receiving the information associated with the authorization request, providing, to the first computing device, a request for additional information, wherein the authentication information includes at least one of: 
 
 multi-factor authentication information, a selection of the user account of the one or more user accounts, or an indication of agreement to a document. 
 
     
     
       12. The computer-implemented method of  claim 11  further comprising:
 further by the second computing device:
 receiving, from the first computing device, a response to the request for additional information, wherein the token is not provided to the first computing device until after the response is received. 
 
 
     
     
       13. The computer-implemented method of  claim 8  further comprising:
 further by the third computing device:
 providing a unique identifier associated with the token, but not the token, to the fourth computing device, wherein the request for user account data includes the unique identifier. 
 
 
     
     
       14. The computer-implemented method of  claim 13  further comprising:
 further by the third computing device:
 providing a public token or key to the fourth computing device; 
 receiving, from the fourth computing device, authentication information including the public token or key, a secret key, and an identifier associated with the external application; and 
 verifying the validity of the authentication information based at least in part on information associated with the secret key and the identifier associated with the external application.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.